Australian Government - Office of the Australian Information Commissioner - Home

Privacy fact sheet 15: Tips for protecting the personal information in your My Health Record

If you have a My Health Record or are considering whether to get one, this fact sheet explains what to consider over the lifetime of your record.

What is a My Health Record?

A My Health Record is an online summary of your health information, such as medicines you are taking, any allergies you may have and treatments you have received. It was previously known as a Personally Controlled Electronic Health Record (PCEHR) or eHealth record.

Your My Health Record allows your doctors, hospitals and other healthcare providers (such as physiotherapists) to view your health information, in accordance with your access controls. You are also able to access it online yourself.

The My Health Record system opt-out period commenced on 16 July 2018, and you now have until 15 November 2018 to advise the Australian Digital Health Agency if you do not want a My Health Record to be automatically created for you. Although the My Health Record system has previously been a self-register model, every individual with a Medicare or Department of Veterans’ Affairs card who does not already have a record will now be automatically registered to have a My Health Record, unless they choose not to have one.

For further information about the My Health Record and what to do if you don’t want a record created, visit the My Health Record website or call the My Health Record helpline on 1800 723 471. You can also read the OAIC’s opt-out FAQs.

This fact sheet is for everyone who already has or will soon have a My Health Record, and anyone else who is considering having one automatically created for them during the opt-out period.

1. Read the System Operator’s privacy policy carefully

Make sure you understand how the information in your My Health Record can be collected, used and disclosed.

The System Operator (the Australian Digital Health Agency) is responsible for the operation of the My Health Record system. The privacy policy that applies to personal information collected by the Australian Digital Health Agency for the My Health Record system is available on their website.

If you have any questions about this, call the My Health Record Help line on 1800 723 471.

2. Be aware of the different access settings available to you

Consider setting your access controls for your My Health Record. It’s a good idea to review them regularly, especially if your circumstances change or you begin treatment with a new healthcare provider. Check your ‘access list’ regularly to see who can access your My Health Record. If the default settings are set, you should know what they are and what they could mean for you. Think about whether you want to restrict which healthcare providers can access your record and what information is included.

For further information on controlling access to your record, please visit the My Health Record’s Control access to my record page or the Australian Digital Health Agency’s information sheet Keeping your healthcare information secure: Simple security and privacy tips.

3. Consider setting advanced access controls and a ‘Record Access Code’

Advanced access controls allow you to restrict which healthcare providers can access your My Health Record. You can also restrict access to particular documents, using a ‘Limited Document Access Code’. If you set up a ‘Record Access Code’, healthcare providers will only be able to check if you have a My Health Record and access it if you give them your code. Personal access controls may be overridden in an emergency, if it is unreasonable or impracticable to obtain your consent.

For further information on setting privacy and security controls on your My Health Record, please visit the My Health Record’s Set up privacy and security controls page. To find out more about emergency access, please visit the My Health Record’s Emergency access to My Health Record page.

4. Read the privacy notices and policies of your healthcare providers

Different healthcare providers will have different information management practices. For example, you can restrict which healthcare providers can see your My Health Record but you cannot restrict access by individual staff members. Find out which areas of the healthcare provider will have access to your My Health Record.

5. Talk to your healthcare providers regularly about what information they will be adding to and accessing from your My Health Record. Ask how they will involve you in this process.

If you don’t want a certain document added to your My Health Record, make sure you tell your healthcare provider. If they have added a document that you don’t want on your record, ask them to remove it. If they refuse, you can remove it yourself by logging in to your record. You can later ask for it to be restored if you choose.

Documents that have been removed will still be accessible to the healthcare provider that uploaded them through their local IT system. This is because they created the documents and can access them on their own local IT system rather than specifically through your online My Health Record. They may also be retrieved for authorised purposes, such as by order of a court. However, once removed from your My Health Record, they won’t be accessible in an emergency so you should consider whether there is any information that could be needed in such a situation. It’s a good idea to discuss these issues with your healthcare provider.

6. Check your My Health Record access history regularly

Check for any unexpected or unauthorised access. The access history function identifies healthcare provider organisations that have accessed your My Health Record or uploaded a document to your record. However, if you want to find out the name of an individual who has accessed your record, you can request this by calling the My Health Record Help line on 1800 723 471. The system access history will only include access to your My Health Record. It will not include information about who has accessed information that has been downloaded into a healthcare provider’s local systems.

For further information about seeing who has viewed your My Health Record, please visit the My Health Record’s See who has viewed my record page.

7. Set up Notifications

You can monitor access to your My Health Record by choosing to receive notifications by email or SMS. You can set up notifications by logging into your My Health Record and selecting ‘Profile and Settings’. You can choose to be automatically notified of the following:

  • A healthcare organisation (for example a hospital or medical practice) opens your My Health Record for the first time
  • A healthcare provider opens your My Health Record in an emergency
  • A new shared health summary is uploaded to your My Health Record
  • Advance care planning document changes (added/removed/reinstated) occur on your My Health Record
  • A Nominated Representative (for example someone you have permitted to access this My Health Record) opens your record
  • Someone new is able to access your My Health Record

It is important to note that you will not be able to receive notifications when a healthcare provider uploads a new document to your record (other than a Shared Health Summary). For this reason, you should regularly log in and check your ‘Access History’, which will display any documents that have been uploaded and the name of the organisation that uploaded each document.

8. Check your My Health Record regularly to ensure that the documents it contains are kept accurate, up-to-date and complete

If any information is inaccurate, out-of-date or incomplete, ask the healthcare provider that uploaded the information to correct or complete it. If they disagree, you can ask them to attach a statement to the document stating what you consider to be inaccurate, out-of-date or incomplete. If you don’t feel comfortable approaching the healthcare provider directly, you can call the Help line on 1800 723 471. If it is a private sector healthcare provider organisation that is unwilling to correct or complete your record, you can also make a complaint to the OAIC. Old versions of documents will still be retained by the system. If there are any important documents that you think should be included on your My Health Record, talk to your healthcare provider.

9. Secure your My Health Record

Make sure you set a strong password and don’t share it with anyone else. If you are accessing your My Health Record via the online consumer portal, ensure that the device and connection you use to access your record are secure. For example, you should install reputable anti-spyware, anti-virus scanners and firewall software and avoid unsecured wi-fi networks. General advice to help you keep your information safe online is available at staysmartonline.gov.au.

10. Exercise your privacy rights

The My Health Record system is protected by the My Health Records Act 2012 (My Health Records Act). The protections in the My Health Records Act are in addition to those under existing privacy legislation. Once information is downloaded into a healthcare provider’s local records, existing privacy legislation will apply. There are civil and criminal penalties for individuals and healthcare provider organisations who don’t comply with the My Health Records Act. If you suspect that the information in your My Health Record may have been mishandled, you can complain to the entity involved or call the Help line on 1800 723 471. If you’re not happy with their response, you can complain to the OAIC.

11. Remember you can choose to cancel at any time

If you decide to cancel your My Health Record, call the Help line on 1800 723 471 and ask to have your record deactivated. It can be reactivated again later if you choose.

If you cancel your My Health Record, no one will be able to see it (including yourself) and no further information can be added onto it.

However, information in the cancelled record will be stored by the Australian Digital Health Agency until 30 years after your death, or 130 years after your date of birth (if the date of death is unknown).

For more information on how to cancel your My Health Record, please visit the My Health Record’s Cancel my record page.

More information

For more information on the OAIC’s role in the My Health Record system, please see the OAIC’s Privacy fact sheet 18: The OAIC and the My Health Record system.